Enterprise Risk Management: Combating a Growing Organizational Threat

The
catastrophic meltdown of financial markets that began in September
2008 resulted in a full range of challenges—both old and new—for
organizations worldwide. Similar to other periods of adversity and
uncertainty, it prompted organizations to re-evaluate their
policies, processes and procedures from a renewed perspective, and
implement change wherever it was needed. One function that continues
to undergo particularly close scrutiny is enterprise risk management
(ERM).

The Need for New Thinking About ERM

In
recognition of risk management’s elevated position on the leadership
agenda, we conducted a statistical survey sponsored by the AICPA and
completed by members who are CFOs or hold other senior management positions.

The
survey examined the factors that influence ERM, the status quo of
ERM, and the interactions between various types of risks, such as
strategic risk, operational risk, financial risk and hazard risk, to
a standard set of interacting organizational resources, such as
personnel and structure, processes and plans, facilities and
operational assets, customers and suppliers, and external resources.
Risk classes and sets of resources were then identified.

The
survey had two major objectives: (1) To test whether these
interactions are important to organizations and managers, and (2) to
investigate the perception of CFOs as to how, or how well,
organizations are addressing these interactions. The survey results
are presented here, along with a key set of managerial insights
based on our observations.

Areas for Improvement

Positive
changes in risk management have occurred over the past few years. It
has become part of the organizational culture for a majority of
survey respondents. However, the existence of serious weaknesses in
ERM within the organizations surveyed revealed that additional
strides are necessary. Consider the following survey findings:

Only
41% of respondents said their organizations had a suitable
incentive system for top management to actively engage in
enterprise risk management. This finding points to the most
serious weakness in ERM among the organizations surveyed. To
remedy this, organizations must create direct incentives for top
managers to engage in ERM. Unfortunately, aligning incentives
with risk management, through education, core values, culture
and other means, remains a major organizational challenge.

Half of the respondents believed that the knowledge infrastructure,
such as appropriate expertise and risk-reporting tools, that was
in effect in their organizations needed substantial
improvement. This indicates a lack of
good models and tools, a lack of implementations of such models
and tools, or a lack of data to support risk analyses.
These tools include both reporting tools and analysis tools.
Such tools should be available in computerized form, through
enterprise resource planning (ERP) systems or the like.

Approximately 50% of survey participants said that risk professionals were not
highly engaged in strategic risk management, nor
did they seem to have a major role in other risk categories
(operational, financial and hazard risk). These findings
indicate that organizations may not be using the input from risk
professionals efficiently. They also indicate that in most
organizations risk management activities are not accorded the
importance given to top revenue-generating activities. Also, it may be that risk professionals need
to adopt a broader view as to the applicability of their area of
expertise. Again, the incentives are likely not present to
motivate the use of risk experts and ERM at a level high enough
to allow for proper consideration of the impact or the risk. Also,
only 39% of respondents would recommend their overall ERM
practices to their colleagues, which suggests a lack of
confidence in their own ERM practices.

Only
56% of respondents said that their available risk management
resources were being used to create optimal value for the
organization. This implies that there is potential for creating
more value for the organization with the existing level of
resources. Resources typically include broad classes of
firm-specific assets such as personnel, processes, facilities,
customers and suppliers, as well as external stakeholders and regulators. One
approach to this issue would be for CPAs to create industry best
practices and communication tools that demonstrate how similarly
situated organizations are making optimal use of their
risk-management resources and delivering top value in the
process.

Conclusions

The
survey said that 59% of respondents did not believe their
organization had appropriate incentives to encourage top management
to actively engage in ERM. This issue has become more pronounced
since the global financial crisis because of stronger financial
constraints, and a focus on cost cutting. In addition, events
outside of the financial sector have brought this problem to the
attention of the general public and to regulators.

Designing
a structure that incentivizes leaders to manage risk effectively and
efficiently will be the greatest challenge for any organization,
whether in the financial sector, in offshore oil drilling, or
anywhere in between. The reason for this is that ERM remains a
complex, multifaceted, and strategic activity that requires
unprecedented levels of coordination and control, as well as
long-term perspectives.

Major
events, such as the recent economic crisis and failures in the
financial system, might just refocus attention to ERM, and lead to
either internal organizational changes or regulatory changes that
will clearly incentivize good risk management practices, and
hopefully elevate good ERM practice to a new level.

The Dodd-Frank
Wall Street Reform and Consumer Protection Act may
also incentivize organizations to improve ERM practices to reduce
future systemic failure. However, the act only addresses risks that
are obvious to regulators, and is not in any way a panacea for
ERM.

To
adequately manage risk, organizations must create the proper
incentives for ERM. These incentives must be institutionalized and
aligned with the actual ERM practices in the organization.
Organizations must also make efficient use of, and properly engage,
their risk professionals across organizational activities.

Finally,
both tools and information related to ERM must be improved, and made
accessible through commonly used ERP systems.

EXECUTIVE SUMMARY

The
catastrophic meltdown of financial markets that
began in September 2008 resulted in close scrutiny of
enterprise risk management (ERM).

The
authors conducted a statistical survey that
examined the factors that influence ERM, the status quo of
ERM, and the interactions between various types of risks. The
survey results are presented here, along with a key set of
managerial insights based on their
observations.

Areas
for improvement identified by the survey included: (1) only
41% of respondents thought their organizations had a suitable
incentive system for top management to actively engage in
enterprise risk management; (2) half of the respondents
believed that the knowledge infrastructure, such as
appropriate expertise and risk-reporting tools, that was in
effect in their organizations needed substantial improvement;
(3) approximately 50% responded that risk professionals were
not highly engaged in strategic risk management, nor
did they seem to have a major role in other risk categories
(operational, financial and hazard risk); and (4) only 56% of
respondents believed that their available risk management
resources were being used to create optimal value for the organization.

Barry Mishra (barry.mishra@ucr.edu)
and Erik Rolland (erik.rolland@ucr.edu) are
professors in the Department of Accounting and Information
Systems at the A. Gary Anderson Graduate School of Management,
University of California–Riverside.

About the Survey

The
survey, A
Strategic Framework for Enterprise Risk Management & Identification,
was conducted by the research faculty at the A. Gary Anderson
Graduate School of Management, University of
California–Riverside. It was performed as part of the Management
Accounting Research Grant series sponsored by the AICPA.

Data
was collected between April 2 and May 12, 2009, through an
online survey instrument electronically sent to AICPA members in
business, industry and government who serve in CFO or equivalent
positions. The study received 227 partially or fully completed
surveys. Questions addressed factors related to enterprise risk
management within participants’ organizations, organizational
resources and the risk types their organizations are facing.

To
learn more about A
Strategic Framework for Enterprise Risk Management & Identification,
or to receive a copy of the survey, please contact the authors
at the e-mail addresses provided above.

To
comment on this article or to suggest an idea for another
article, contact Matthew G. Lamoreaux, senior editor, at mlamoreaux@aicpa.org or 919-402-4435.